samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: OOB while accessing ML IE

Browse Source 
Currently, in function "util_get_ml_bv_partner_link_info" driver
access the ML IE memory with offset which is calculated from ML IE
length and increment this offset with other values (such as
perstaprof_stainfo_len). But this can lead to OOB for ML IE when
this offset value is increment beyond ML IE length.

So, to fix this, add check for offset before accessing ML IE.

Change-Id: Ie7312ab3379fce16e5b0f83d07d46f263f774ed8
CRs-Fixed: 3710085
This commit is contained in:
Rahul Gusain
2024-01-29 12:55:49 +05:30
committed by Ravindra Konda
parent f323c32b7d
commit b2253d3444
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
umac/scan/dispatcher/src/wlan_scan_utils_api.c
View File

@@ -2293,8 +2293,11 @@ util_get_ml_bv_partner_link_info(struct wlan_objmgr_pdev *pdev,
}
scan_entry->ml_info.num_links = link_idx;
if (!offset)
if (!offset ||
(offset + sizeof(struct wlan_ml_bv_linfo_perstaprof) >= ml_ie_len)) {
scm_err_rl("incorrect offset value %d", offset);
return;
}
/* TODO: loop through all the STA info fields */
@@ -2338,6 +2341,10 @@ util_get_ml_bv_partner_link_info(struct wlan_objmgr_pdev *pdev,
/* Skip STA Info Length field */
offset += perstaprof_stainfo_len;
if (offset >= ml_ie_len) {
scm_err_rl("incorrect offset value %d", offset);
return;
}
/*
* To point to the ie_list offset move past the STA Info